B00t2R00t


For the boot2root challenge you need to activate the VPN, because the challenge runs on a TryHackMe platform machine. To download the VPN file, go to profile > access > download the configuration file. Then open a terminal in Kali Linux and activate the VPN with the command sudo openvpn <vpn configuration file.ovpn>. You are now connected to the VPN.

After that, we need to ping the machine's IP address. This is to make sure the machine is up and that we can communicate with it. Wait about 10 - 15 minutes after the machine is activated before pinging it, because the machine's connection is unstable for a while. If you get a reply, you are successfully connected. Now let's hack this machine.

The first thing we need to do is a port scan. This step is important because it collects information about the machine, such as which ports are open and which services and versions are running. To do a port scan we can use Nmap, which is one of the network scanning tools. In this case, I ran nmap with the options -sV -Pn -A <target ip address>.

In this challenge I found that port 80 is open, which is the HTTP service, and it has a keylogger file. Let's check it through the browser.

After entering the IP address in the browser, it brings me to an index page which contains the keylogger file. Let's download it.

To see the content of the skeylogger file, I use the strings command so that the system displays the data as string values.

After scrolling down a little in skeylogger, I found a base64-encoded string. It may be a hint for hacking into the system. Let's decode it.
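The strings-then-decode step can also be done in one pass, which is useful for checking a file for encoded secrets before it is left on a web server. The following Python sketch is an added example, not part of the original write-up; the function names and the sample bytes are constructed for illustration, with the token built from the value this walkthrough decodes.

```python
import base64
import binascii
import re

# Runs of printable ASCII, like strings(1) with its default minimum length of 4.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Base64 candidate: 8 or more alphabet characters plus optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def printable_strings(data: bytes):
    """Return the printable runs found in a binary blob."""
    return [m.group() for m in PRINTABLE_RUN.finditer(data)]


def decode_candidates(data: bytes):
    """Return (token, text) pairs for tokens that decode to printable ASCII."""
    found = []
    for run in printable_strings(data):
        for m in B64_TOKEN.finditer(run):
            token = m.group()
            if len(token) % 4:  # valid base64 is always a multiple of 4 long
                continue
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue
            # Keep only results that look like text; random bytes are noise.
            if raw and all(0x20 <= b <= 0x7E for b in raw):
                found.append((token.decode(), raw.decode()))
    return found


# Constructed sample: binary noise, a device path, a file name and one
# base64 token (not the real skeylogger file from the challenge).
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"/dev/input/event0\x00keylog.txt\x00"
    + base64.b64encode(b"dracarys")
    + b"\x00\x01\x02"
)

if __name__ == "__main__":
    for token, text in decode_candidates(SAMPLE):
        print(f"{token} -> {text}")
```

Path-like strings such as /dev/input/event0 are made of base64 alphabet characters too, so the length and printable-output checks are what keep them out of the results.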

After decoding it, I found that it displays dracarys. It is a character name from Game of Thrones, because this challenge was built around that show. It could also be a password or username for the SSH connection. Before that, let's look into dracarys a little.

After googling the main cast for dracarys, the result that comes up is Emilia Clarke as Daenerys Targaryen. This could be a username or password to log in over SSH. Let's try it.

After a few tries, yup, I managed to log in to the system. The username is daenerys and the password is dracarys. The syntax to connect over SSH is username@ipaddress machine. Now let's take a look inside this machine by running the ls -la command.

These are the directories and files on the machine. Let's take a look at the .bash_history file. It contains previously run commands, so we may find some clue about where the flag is.

After scrolling a little in that file, I found a command that changes to another directory, which is cd /home/daenerys/.local/share/. Let's do it.

I change directory to .local/share/ and then ls the directory to see its content. There is a zip file, daenerys.zip. It is locked, so I need to unlock it by changing the permission with the command chmod +x. After that, I unzip the file and get the file djkdsnkjdsn. Let's see the content of the file.

After viewing the content of the djkdsnkjdsn file, it points to another location, which is /usr/share/sounds/note.txt.

To see the content of note.txt, I directly use the cat command to concatenate it: cat <path file/file name>. It then displays "I'm khal....". Let's google khal among the GOT characters.

This is what I get after googling khal. This could be our password for the root login. Let's try it.

To enter the root account, type the su root command and enter khaldrogo as the password, and it works.

After that, I go to the home directory by using the cd command, which automatically brings you to root's home directory. Then I ls the directory and find the root.txt file. Then I cat the file and find a base64-encoded string.

After decoding the base64, I get the flag.
EG{TH1S_15_B4S1C_B2r_M@CH1N3_4SUR3!}